Skip to Content
Security & TrustSecurity Overview

Security Overview

TAPP is an edge monitoring system for industrial plants — boilers and steam systems, and the broader mix of critical and rotating equipment around them: chillers, tanks, motors, pumps, and water chemistry controllers. It reads equipment-health data and sends it to the cloud so plant operators get real-time visibility. Because it lives on the same site as critical equipment, security is not a feature bolted on afterward; it is the organizing principle of the design. Any equipment with a control system connects only to the equipment side of the TAPP Gateway, a one-way data transfer gateway that lets equipment data flow out while allowing nothing back in — and everything TAPP puts on your network is outbound-initiated, single-endpoint, and read-only.

This page is the one-page posture summary. Each area links to a detail page for depth.

Posture at a Glance

Security AreaTAPP Posture
Equipment isolationOne-way data transfer gateway (the TAPP Gateway); control systems isolated from the customer network
Data in transitTLS encryption (MQTT over TLS to AWS IoT Core port 8883)
Data at restStored in AWS (US region); encrypted at rest per AWS defaults
Network footprintOne device, one MAC address on customer network; all traffic outbound-initiated
Remote accessTailscale (WireGuard VPN); outbound-initiated; no inbound firewall rule required
Data collectedEquipment performance telemetry only — no process recipes, no control logic, no PII
Sub-processorsAWS (IoT Core, S3, compute)

The Pillars

Equipment isolation. Control systems — a boiler, a chiller, a water chemistry controller, or any other critical equipment — connect only to the equipment side of the TAPP Gateway. The TAPP Gateway is a one-way data transfer gateway: equipment data flows out to the network side, and nothing can flow back to the equipment side. That one-way behavior is a property of the hardware, not a software setting, so it cannot be reconfigured or overridden remotely. See System Architecture.

Data & telemetry. TAPP collects equipment performance telemetry only — controller data, operational state, faults, and wireless sensor readings. No process recipes, no control logic, no personally identifiable information. See Data & Telemetry.

Network footprint. TAPP presents as a single device with one MAC address on your BMS VLAN. All traffic is outbound-initiated, so no inbound firewall rules are required. See Network Requirements.

Remote access. TAPP manages the Network Router over Tailscale  (a WireGuard-based mesh VPN). The tunnel is outbound-initiated and cannot cross the TAPP Gateway to reach the equipment side. See Remote Access.

Common questions. The Security FAQ pre-answers the questions a security reviewer is most likely to ask, in vendor self-assessment format.

Last updated on